QUALYS CLOUD SECURITY CERTIFICATION EXAM


Qualys CloudView provides visibility and continuous security across all of your cloud environments. 


With CloudView you can:

- Discover assets and resources across all regions from multiple accounts and multiple cloud platforms
- Search resource metadata, view resource details and show associations across resources
- Use out-of-box AWS, Azure and GCP policies
- Continuously assess and report resource misconfigurations by checking against the controls from out-of-box policies
- Build your own policies and customize controls to suit your needs
- View, filter and export misconfigurations


Qualys CloudView - Connectors 


Qualys CloudView polls your cloud provider accounts to gather metadata and resource information. This is done using Connectors. Connectors poll the different cloud provider platforms at configured intervals.


Currently Qualys supports connectors for Amazon Web Services, Microsoft Azure, and Google Cloud 
Platform. 


AWS Connector 


Lab 1 - https://ior.ad/7Qho


- Each connector can only belong to one account type — Global, US GovCloud, or China.
- The default polling frequency is 4 hours; it can be changed to a minimum of 1 hour and a maximum of 24 hours.
- Qualys recommends setting the Connector frequency to 4 hours. Configuring a lower frequency (less than 4 hours) may affect the performance of the Connector and result in AWS API throttling errors.
- When creating an AWS connector, Qualys generates a unique external ID. This ID needs to be provided when creating the IAM role, as shown below:


[Screenshot: IAM "Create role" - Select type of trusted entity: Another AWS account (Belonging to you or 3rd party); Specify accounts that can use this role: Account ID; Options: Require external ID (Best practice when a third party will assume this role). AWS explains: "You can increase the security of your role by requiring an optional external identifier, which prevents 'confused deputy' attacks. This is recommended if you do not own or have administrative access to the account that can assume this role. The external ID can include any characters that you choose. To assume this role, users must be in the trusted account and provide this exact external ID." External ID: IN1-2042-1636988037396]


- The "SecurityAudit" policy that is attached to the IAM role provides read-only permissions to Qualys. This role is used by Qualys connectors to make API calls to AWS to gather inventory and metadata.
- When creating an AWS connector in Qualys CloudView, select the checkbox "Create Connector in AssetView" to replicate this configuration in the Qualys AssetView module.


[Screenshot: Create AWS Connector - Role ARN (arn:aws:iam::636...:role/QualysAWSConnectorRole); "Enable Remediation": Remediation allows you to resolve misconfigurations and execute actions against resources. Ensure that the connector has write access to the AWS account for which you enable remediation; "Create Connector in AssetView": Select to automate creation of the same connector in AssetView. Ensure that your account has the required permissions in the AssetView module for the connector to be created in AssetView.]
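Added example, not from the Qualys guide: the cross-account trust policy the connector role above needs, with the sts:ExternalId condition that closes the confused-deputy hole, plus a check that flags trust statements lacking it. The trusted account ID is a constructed placeholder; the external ID is the value shown in the screenshot.

```python
import json

# Constructed placeholder for the connector's (trusted) account; not a real Qualys account ID.
TRUSTED_ACCOUNT_ID = "111111111111"
# External ID value shown in the guide's screenshot.
EXTERNAL_ID = "IN1-2042-1636988037396"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy: only trusted_account_id may assume the role, and only with external_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def assume_role_statements_missing_external_id(policy: dict) -> list:
    """Return Allow statements that let another AWS account assume the role
    without an sts:ExternalId condition (the confused-deputy exposure the
    IAM console text warns about). Service/federated principals are skipped."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue
        cond = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in cond.get(op, {}) for op in ("StringEquals", "StringLike")
        )
        if not has_external_id:
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("statements missing external ID:", len(assume_role_statements_missing_external_id(policy)))
```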


Base Account for AWS Connector 

For AWS Connectors, Qualys uses its own AWS account to poll for resources from the target AWS account. If you do not wish to use the Qualys account, you can use the base account feature to use your own AWS account for AWS API queries from CloudView.


For example, you have 3 AWS accounts: Central Security Account, Production and Development. You can designate the Central Security Account as a base account to set up an AWS connector in CloudView that pulls the resources from the Production and Development accounts.

Connectors for the China region must use a base account.


[Screenshot: Create Base Account - Title (e.g. BaseAccountForChina); AWS Account ID ("This should be a positive integer having length between 9 and 96 characters", e.g. 1234567891111); Access Key ("Access Key is required & Max Input length for Access Key is 255 characters"); Select Account Type; Use in AssetView]


Azure Connector

- To create the Azure connector, you'll need the following permissions on Azure:
  - To register an application with your Azure AD. Registering an app with Azure AD provides an application definition to Azure and allows the service to know how to issue tokens to the application based on its settings.
  - To check Azure subscription permissions in order to assign the application to a role in your Azure subscription.
  - To know how to check for and assign these permissions, use the Qualys CloudView user guide - https://www.qualys.com/docs/qualys-cloud-view-user-guide.pdf
- Also, you'll need the Owner permission on the subscription to assign a role to the AD app:
  - To verify your permissions, in your Azure subscription click your account name at the top-right and click "My Permissions."


[Screenshot: Azure "My permissions" > Resource provider status - "You have the following access: Your account '... qualys.com' has been assigned the role 'Owner' (type BuiltInRole) and has access to Qualys"]


- To create the Azure Connector, you'll need to obtain the following information from your Azure subscription and provide it to Qualys CloudView:
  - Application ID — of the app you'll be creating
  - Directory ID — of the Azure AD
  - Authentication Key — a secret key you'll be creating
  - Subscription ID — of the Azure subscription


[Screenshot: Create Azure Connector - Connector Details: Name (Azure-Conn), Account Type (Global / US GovCloud); Polling Frequency: "Configure the interval at which the connector should fetch data from Microsoft Azure cloud provider." (Hours 4, Minutes 0); Authentication Details: Application ID, Directory ID, Authentication Key, Subscription ID]


GCP Connector


Lab 3 - https://ior.ad/7Qjr


- The following APIs need to be enabled to create the Connector:
  - Compute Engine API
  - Cloud Resource Manager API
  - Kubernetes Engine API
  - Cloud SQL Admin API
  - BigQuery API
  - Cloud Functions API
  - Cloud DNS API
  - Cloud Key Management Service (KMS) API
  - Cloud Logging API
  - Stackdriver Monitoring API


Qualys CloudView - Resources 


Upon setting up your connector, it starts discovering the resources that are present in your cloud 
account. The Resources tab displays the information about various resources collected. 


[Screenshot: CloudView Resources tab (List View, Last 24 Hrs) - 14 resource types with columns RESOURCE TYPE, SERVICE, TOTAL RESOURCES, RESOURCES FAILED (e.g. Instance / EC2 / 429 / 0; NetworkACL / VPC / 180 / 0; Internet Gateway / VPC / 115 / 0; Auto Scaling Group / EC2 / 19 / 0); left-hand facets for ACCOUNT, RESOURCE TYPE (IAM User 2.10K, Security Group 1.68K, EBS Volume 476, Instance 429, Subnet 405, 9 more) and REGIONS (N. Virginia 3.57K, N. California 435, Oregon 403, Ohio 374, Mumbai 274)]


Lab 4 - https://ior.ad/7Qiy 


Qualys CloudView supports the gathering of the following resource types:


AWS:
- EC2 Instances
- VPC
- RDS
- Subnet
- Security Group
- Route Table
- Network ACL
- S3 Bucket
- Internet Gateway
- Auto Scaling Group
- Load Balancer
- IAM User
- EBS Volume
- Lambda Function


Microsoft Azure:
- SQL Server
- Function App
- SQL Server Database
- Resource Group
- Virtual Network
- Virtual Machines (created using Resource Manager only)
- Network Security Group
- Web App (App Service)


Google Cloud Platform:
- VM Instances
- Networks
- Firewall Rules
- Subnetworks
- Cloud Function


Search Resources 


Queries can be used to search for resources within CloudView. Here are some useful search queries; they are commonly used to build inventory and to identify misconfigurations:


Identify running instances of a specific type, for example running t2.micro instances in AWS:
resource.type:Instance and instance.type:t2.micro and instance.state:running


AWS instances having a public IP, allowing inbound traffic on port 22 from anywhere, and having an easily exploitable vulnerability (these instances could be easy targets for exploitation):
resource.type:"Instance" and vulnerability.threatIntel.easyExploit:true and NOT instance.networkInterface.publicIp is null and securitygroup.inboundRule.fromPort:22 and securitygroup.inboundRule.ipv4Range:0.0.0.0/0


AWS instances in North Virginia allowing inbound traffic on port 22 from anywhere (the security groups of these instances should be reconfigured to only allow traffic from specific IPs):
region:N. Virginia and securitygroup.inboundRule.ipv4Range:0.0.0.0/0 and securitygroup.inboundRule.toPort:22


Publicly accessible S3 buckets on AWS (publicly open S3 buckets can cause data leaks):
resource.type:"S3 Bucket" and s3.isPubliclyAccessible:true


Public load balancers on AWS:
resource.type:"Load Balancer" and elb.scheme:internet-facing


Standard edition SQL Server databases running on Azure:
resource.type:"SQL Server Database" and sqldatabase.edition:Standard


View Resource Information 


Clicking on any resource in the Resources section will provide detailed information about the resource 
and also shows its associations with other resources. 


[Screenshot: Resource Details: demo-exploit1-lb (Load Balancer) - View Mode: Summary / Associations; General: Name demo-exploit1-lb, VPC ID, Scheme internet-facing, Created At August 13, 2020 6:57 PM, Type of LB application, First Discovered On August 14, 2020 1:59 AM, Last Updated On October 15, 2020 1:28 PM, Controls Evaluated 2, Controls Failed 2; Associations: Security Group 1, Subnet 2; Location: Account ID, Region N. California (us-west-1); Network: Availability Zones (2)]


When viewing EC2 instances, the filters at the top identify the number of instances without the Qualys 
Cloud Agent, number of instances with public IP, number of instances configured as docker hosts, and 
number of instances with vulnerabilities. 


[Screenshot: Resources tab filtered to Instance (Last 24 Hrs) - quick filters Without Agents, With Public IP, Docker Hosts, With Vulnerabilities]


Qualys CloudView automatically detects EC2 instances that have been scanned for vulnerabilities using 
the Qualys Vulnerability Management/VMDR application. 


Also, the Group By options can be used to gain insights into how your instances are distributed across 
different attributes: 
[Screenshot: Resource.type: Instance, Group By: Region - instances grouped by region: N. Virginia 241, N. California 91, Ohio 36, Oregon 17, Tokyo 13]


[Screenshot: Resource.type: Instance, Group By: Vulnerability Age - vulnerabilities grouped by age: 31-60 days 1188, More than 180 days 890]


By default, vulnerabilities of type Information, Fixed, Ignored, and Disabled are excluded from results: 


[Screenshot: Filters > Excluded Vulnerabilities - Information, Fixed, Ignored, Disabled]
Qualys CloudView - Dashboard


Lab 5 - https://ior.ad/7Qk3


Dashboards provide insights into your cloud accounts by way of widgets — each widget represents a piece of data. For example, widgets could represent:
- Resource distribution by type
- Control failure distribution by criticality
- Top 5 accounts by failed controls
- Top 5 failed controls
- Count of public storage buckets
- Count of public virtual machines / EC2 instances


Qualys CloudView provides default widgets that can be used to build dashboards. 


[Screenshot: AWS-Dashboard (Last 24 Hrs) - widgets: RESOURCE DISTRIBUTION BY TYPE (Total Resources 4186 across Internet Gateway, Route Table, Load Balancer, Security Group, Instance, VPC, Lambda Function, Subnet, EBS Volume, Network ACL, RDS, Auto Scaling Group, IAM User); SECURITY POSTURE BY REGIONS; TOP 5 ACCOUNTS BY FAILED CONTROLS (e.g. qualys-dev); FAILURES BY CONTROL CRITICALITY (Total Failures 3699: HIGH 1316, plus MEDIUM and LOW counts); TOP 5 FAILED CONTROLS: Ensure AWS EBS Volume snapshots are encrypted (598), Ensure that EBS Volumes attached to EC2 instances are encrypted (431), Ensure AMIs owned by an AWS account are encrypted (339), Ensure IAM policies are attached only to groups or roles (337)]
Qualys CloudView - Monitor


Lab 6 - https://ior.ad/7Qku


The Monitor tab shows a list of controls, their criticality, the service to which each control belongs, and the security posture (the number of resources passing and failing a control). This allows you to identify the controls where configuration changes or action are required.


[Screenshot: Monitor tab (Last 24 Hrs) - TOTAL EVALUATIONS, FAILURES BY CRITICALITY (HIGH / MEDIUM / LOW), and a list of 122 controls, e.g. 1 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (IAM; Policy: CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018; Total Resources: 8); 2 Ensure console credentials unused for 90 days or greater are disabled; 3 Ensure access keys unused for 90 days or greater are disabled (Total Resources: 26); 4 Ensure access key1 is rotated every 90 days or less (HIGH); 5 Ensure access key2 is rotated every 90 days or less (Total Resources: 5); 6 Ensure IAM Password Policy is Enabled]


Clicking a control will provide the following details:
- Control id and statement
- Policy to which the control belongs
- Evaluation criteria
- Platform (AWS, Azure, or GCP)
- Service
- Criticality
- Remediation Steps
- List of resources passing and failing the control


Use the search bar to query for specific controls, for example:
service.type:IAM and control.criticality:HIGH and control.result:FAIL


[Screenshot: Monitor tab filtered by the query above - 21 controls, e.g. 1 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (IAM; Policy: Acme Policies; Total Resources: 42); 2 Ensure console credentials unused for 90 days or greater are disabled (IAM; Policy: Acme Policies)]

Click a control name to know more details: 


[Screenshot: Control Evaluation: CID-1 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - Policy: CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018; Platform: AWS; Evaluation: Check IAM Users having console password enabled has MFA set to True; Service: IAM; Remediation: Manual; Criticality: NA; a list of 8 evaluated resources (ARN, evaluated 2 hours ago, result FAIL, Evidence link)]


Click Evidence to know why a control is failing: 
[Screenshot: evaluation record (RESOURCE, ACCOUNT ID, EVALUATED ON, RESULT) with tabs EVIDENCE DETAILS / MANUAL REMEDIATION STEPS and buttons View in AWS Console / Re-evaluate - Evaluation Summary: First Evaluated June 11, 2020 10:05 AM, Last Evaluated October 15, 2020 12:58 PM, Last Reopened -, Last Fixed -; Evaluation Criteria: Credential Report Generated Time Thu, 15 Oct 2020 10:27:42 UTC; MFA Status Not Enabled; Console Password Status Enabled]


Click Remediation Steps to know how a control failure can be fixed: 


[Screenshot: MANUAL REMEDIATION STEPS tab for the failed resource - "Perform the following to enable MFA:
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users.
3. In the User Name list, choose the name of the intended MFA user.
4. Choose the Security credentials tab. Next to Assigned MFA device, choose the edit icon."]
Qualys CloudView - Policy and Controls


Lab 7 - CloudView Policy - https://ior.ad/70QI9


Lab 8 - CloudView Controls - https://ior.ad/7Qln


The Policy tab within Qualys CloudView can be used to view policies and controls. A policy is a collection 
of controls. A control represents the evaluation of a datapoint on a monitored resource. 


CloudView provides out-of-the-box policies and also allows policies to be defined manually. System 
defined policies and controls cannot be deleted. System defined policies help in automated auditing and 
reporting on misconfigurations, unwarranted access, and non-standard deployments associated with 
various services. 


System defined policies for AWS:
- AWS Best Practices Policy
- AWS Lambda Best Practices Policy
- AWS Database Service Best Practices
- CIS Amazon Web Services Foundations Benchmark


System defined policies for Azure:
- Azure Best Practices Policy
- Azure Function App Best Practices Policy
- Azure Database Service Best Practices Policy
- CIS Microsoft Azure Foundations Benchmark


System defined policies for GCP:
- GCP Best Practices Policy
- GCP Cloud SQL Best Practices Policy
- GCP Cloud Functions Best Practices Policy
- GCP Kubernetes Engine Best Practices Policy
- CIS Google Cloud Platform Foundation Benchmark


To know the evaluation criteria of a control, click the control name and then click the Evaluation tab: 
[Screenshot: Control Details: Ensure console credentials unused for 90 days or greater are disabled - View Mode: Summary, Specification, Policies, Evaluation; Evaluation Description: "Check IAM Users having console password and have not used credentials for 90 days or more. Changes in account credentials may take up to 4 hours to get reflected in the AWS IAM evaluations."; sections Rationale, Manual Remediation, Evaluation Criteria (Last accessed AWS console days: Greater than equals ...), References]


Criticality of all the controls can be changed: 


[Screenshot: Controls list (CID, CONTROL NAME, Service: IAM) with the Quick Actions menu (View, Change Criticality) and the Change Criticality dialog: "Depending on the impact you want this control to have, you can set the criticality to High, Medium, Low. HIGH (System Default): Controls with severe impact. MEDIUM: Controls with medium impact. LOW: Controls with minimal impact. Note: When you change criticality, the revised control criticality for existing evaluations is effective on the Monitor view upon the next connector run."]


Some controls can be copied and edited. These can be identified by the darker gear icon next to them, or by running the query: provider:"AWS" and isCustomizable:true


[Screenshot: Controls filtered by provider:"AWS" and isCustomizable:true - e.g. CID 2 Ensure console credentials unused for 90 days or greater are disabled (aws, Service: IAM); 3 Ensure access keys unused for 90 days or greater are disabled (aws, Service: IAM); 4 Ensure access key1 is rotated every 90 days or less (aws, Service: IAM)]


Editing a control allows you to change the evaluation description, evaluation parameter, evaluation 
message, control description, rationale, remediation steps, and references. 


Create new policy
- Creating a new policy allows you to add the required controls for evaluation.
- A policy can only reference controls of a specific provider — AWS, Azure, or GCP:


[Screenshot: Create Policy > Policy Details ("Provide the details needed for policy creation.") - Name (Demo), Description, Provider (AZURE)]


- When creating a new policy, it can be applied to specific connectors or groups. This allows you to limit evaluation to only a subset of your resources:


[Screenshot: Create Policy, step 3/4 Choose Connectors - "Tell us the connectors you want to analyze for compliance with this policy. You can select a combination of groups and connectors, and we'll evaluate the policy against all matching connectors." Groups: Select the Groups...; Connectors: AWS-SD-Connector; buttons Cancel / Previous / Next]
Qualys CloudView — Responses


Lab 9 - https://ior.ad/7Qpv


CloudView allows you to set up rules that alert you to resources failing certain critical control evaluations and that allow resource misconfigurations to be fixed.


For example, you can set up alerts for:
- Resources failing a control
- Evaluation results of highly critical controls
- Evaluation results of controls of a specific policy
- Resources failing in the latest connector run


To configure responses:
1. Define the actions that the rule must take in response to the alert
2. Set up your rules in the Rule Manager tab


There are three action types that you can configure:

1. Send Email (Via Qualys) / Send Email (Your SMTP) - Specify the recipients' email IDs who will receive the alerts, the subject of the alert message and the customized alert message.

2. Send to PagerDuty account - Provide the service key to connect to your PagerDuty account. In Default Message Settings, specify the subject and the customized alert message.

3. Post to Slack account - Provide the Webhook URI to connect to your Slack account to post alert messages. In Default Message Settings, specify the subject of the alert message and the customized alert message.


[Screenshot: Create New: Action - Basic Information: Action Name (Email Cloud Admins), Description (This action will send an email to Cloud Admins.), Select Action: Send Email (Via Qualys) / Post to Slack / Send to PagerDuty]
Rules define the criteria that trigger the alert notifications. You can use the pre-defined search tokens to form the queries for the criteria, and then associate an action to be executed when the criteria defined in the rule are met.


[Screenshot: Create New: Rule - Rule Information: Rule Name (Alert for failed high criticality Azure controls), Description (This rule will trigger when high criticality controls of Azure fail evaluation); Rule Query ("Provide a query to match particular source that will trigger the alert"): AZURE / Monitor: control.criticality:HIGH and control.result:FAIL; Sample Queries]


Trigger Criteria:


Single Match — select this if you want the system to generate an alert each time it detects an event matching your search query.


Time-Window Count Match — select this when you want to generate alerts based on the number of events returned by the search query in a fixed time interval. For example, an alert will be sent when three matching events are found within a 15-minute window.


Time-Window Scheduled Match — select this when you want to generate alerts for matching events that occurred during a scheduled time. The rule is triggered only when an event matching your search criteria is found during the time specified in the schedule. Choose a date and time range for creating a schedule and specify how often you want to run the schedule, for example daily, weekly, or monthly. For example, send daily alerts with all matches in a scheduled window between 4 pm and 5 pm.
[Screenshot: Rule Query (AZURE / Monitor: control.criticality:HIGH and control.result:FAIL) and Trigger Criteria ("Provide the match criteria") - Single Match: One alert for one match; Time-Window Count Match: e.g. Alert only when there are 3 matches within a 15-minute window; Time-Window Scheduled Match: e.g. Alert with all matches in a scheduled window from 9am-5pm]
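The three trigger criteria, as an added example that is not CloudView's own code: a small evaluator over constructed evaluation events, with the rule query control.criticality:HIGH and control.result:FAIL modelled as a predicate. The event timestamps and field names are assumptions made for illustration.

```python
from datetime import date, datetime, time, timedelta
from typing import Callable, Iterable, List

Event = dict  # {"ts": datetime, "control.criticality": str, "control.result": str}


def matches_rule_query(event: Event) -> bool:
    """Predicate equivalent to the rule query control.criticality:HIGH and control.result:FAIL."""
    return event["control.criticality"] == "HIGH" and event["control.result"] == "FAIL"


def single_match(events: Iterable[Event], query: Callable[[Event], bool]) -> List[List[Event]]:
    """Single Match: one alert per matching event."""
    return [[e] for e in events if query(e)]


def time_window_count_match(events: Iterable[Event], query: Callable[[Event], bool],
                            threshold: int, window: timedelta) -> List[List[Event]]:
    """Time-Window Count Match: alert when at least `threshold` matches fall inside
    one window (e.g. 3 matches within 15 minutes). Matches are sorted by time; a
    window is opened at each match, and once it fires the events it consumed are
    not reported again."""
    matched = sorted((e for e in events if query(e)), key=lambda e: e["ts"])
    alerts, start = [], 0
    while start < len(matched):
        end = start
        while end + 1 < len(matched) and matched[end + 1]["ts"] - matched[start]["ts"] <= window:
            end += 1
        batch = matched[start:end + 1]
        if len(batch) >= threshold:
            alerts.append(batch)
            start = end + 1
        else:
            start += 1
    return alerts


def time_window_scheduled_match(events: Iterable[Event], query: Callable[[Event], bool],
                                day: date, start: time, end: time) -> List[List[Event]]:
    """Time-Window Scheduled Match: one alert carrying every match inside the scheduled window."""
    lo, hi = datetime.combine(day, start), datetime.combine(day, end)
    hits = [e for e in events if query(e) and lo <= e["ts"] <= hi]
    return [hits] if hits else []


# Constructed sample events: minutes after T0, criticality, result.
T0 = datetime(2020, 10, 15, 16, 0)
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(minutes=m), "control.criticality": c, "control.result": r}
    for m, c, r in [
        (0, "HIGH", "FAIL"), (5, "HIGH", "FAIL"), (7, "MEDIUM", "FAIL"), (12, "HIGH", "PASS"),
        (14, "HIGH", "FAIL"), (40, "HIGH", "FAIL"), (70, "HIGH", "FAIL"),
    ]
]

if __name__ == "__main__":
    print("single match alerts:", len(single_match(SAMPLE_EVENTS, matches_rule_query)))
    print("3-in-15-min alerts:", len(time_window_count_match(
        SAMPLE_EVENTS, matches_rule_query, 3, timedelta(minutes=15))))
    print("4pm-5pm scheduled alerts:", time_window_scheduled_match(
        SAMPLE_EVENTS, matches_rule_query, T0.date(), time(16, 0), time(17, 0)))
```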


To manage alerting rules, the user will need alerting permissions. You can provide these from the 
Administration module: 


[Screenshot: Administration > Role Creation, step 2 of 3 "Edit permissions for this role" - CloudView module: Alerting Permissions (7 of 7): Alerting Access; Create, Edit, Delete your own Action; Edit any Action; Delete any Action; Create, Edit, Delete your own Rule; Edit any Rule; Delete any Rule. Also listed: Manage Remediation Permissions and CLOUDVIEW Permissions (4 of 4)]


Qualys CloudView — Remediation 


Lab 10 - https://ior.ad/7Qaf 


CloudView continuously discovers resources from your public cloud deployments and assesses them for 
misconfigurations and non-standard deployments. With Remediation capability enabled, CloudView 
allows for remediation of misconfigurations and also allows resource actions to be performed — such as 
removing an attached IAM role on an EC2 instance and stopping an EC2 instance. 


Configure Connector for Remediation 


[Screenshot: Edit Connector - Polling Frequency: "Configure the interval at which the connector should fetch data from AWS cloud provider." (Hours 4, Minutes 0); Authorization Details: Qualys AWS ID, External ID, Cross Account ARN (arn:aws:iam::6361...:role/QualysCloudViewRole2); Enable Remediation: "Remediation allows you to resolve misconfigurations and execute actions against resources. Ensure that the connector has write access to the AWS account for which you enable remediation."; Create Connector in AssetView: "Select to automate creation of the same connector in AssetView. Ensure that your account has the required permissions in the AssetView module for the connector to be created in AssetView."]


The first step is to enable Remediation on the connector. Create a new connector or edit an existing 
connector and enable the Remediation feature. 


Once enabled, the connector will require write permissions to perform resource actions. 


Assign write access to AWS Connectors 
From the AWS Management Console, navigate to IAM > Policies > Create Policy. Create a new policy with the following permissions (JSON tab):


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RemediationPermission",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:StopInstances",
                "s3:PutBucketPublicAccessBlock",
                "rds:ModifyDBInstance"
            ],
            "Resource": "*"
        }
    ]
}

Once created, attach the policy to the IAM Role being used by the connector. 
Assign write access to Azure Connectors 
From the Azure portal, navigate to Subscriptions > Access Control (IAM) > Add > Add Custom Role 


Create a custom role with the following permissions: 


[Screenshot: Create a custom role > Permissions tab (+ Add permissions / Exclude permissions; wildcard (*) permissions must be added manually on the JSON tab)]

- Microsoft.Sql/servers/firewallRules/delete - Deletes an existing server firewall rule.
- Microsoft.Storage/storageAccounts/write - Creates a storage account with the specified par...
- Microsoft.Storage/storageAccounts/blobServices/containers/write - Returns the result of put blob container
- Microsoft.Network/networkSecurityGroups/write - Creates a network security group or updates an...


After creating the custom role, assign it to the app you created earlier. 


Assign write access to GCP Connectors
From the GCP console, navigate to IAM & Admin > Roles > Create Role, and create a role with the following permissions:


[Screenshot: GCP Create Role - Title: Custom Role; Description: Created on: 2020-10-27; ID: CustomRole985; Role launch stage: General Availability; ADD PERMISSIONS table listing, among others, bigquery.datasets.update, cloudfunctions.functions.setIamPolicy, cloudsql.instances.update and compute.firewalls.update, all with status Supported]


After creating the role, add it to the member that was used for creating the GCP connector.


Remediating Controls


Once the connectors have been configured, CloudView will identify controls that can be remediated. 
This can be seen from the Monitor tab. 


[Screenshot: Monitor tab (Last 24 Hrs) - TOTAL EVALUATIONS 6.00K, FAILURES BY CRITICALITY (HIGH / MEDIUM / LOW), REMEDIABLE: count of Failed Evaluations]


Click the count of remediable controls and use the search query - isRemediable:true and 
control.result:FAIL to identify them. 


[Screenshot: Control Evaluation: CID-41 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22, filtered by isRemediable:true and control.result:FAIL - 86 failed resources, e.g. sg-0c53f5d962942b82b and sg-0a223e9608c72683a (account 383031258652, N. Virginia, evaluated an hour ago), each with Evidence and REMEDIATION columns]


To remediate a resource, click the Remediate Now button. 


[Screenshot: Remediate Resources dialog for the selected security group, showing the remediation process, a required Comments field and the authorization checkbox] 

REMEDIATION PROCESS 

For each rule of the failed Security Group, the following cases are handled in the remediation: 

CASE 1: If Protocol is ALL(*) and source is 0.0.0.0/0 or ::/0, then remediation deletes this rule using revokeSecurityGroupIngress(). 

CASE 2: If Protocol is TCP and Port is 22 and source is 0.0.0.0/0 or ::/0, then remediation deletes this rule using revokeSecurityGro… 

CASE 3: If Protocol is TCP and Port is given in range X-Y, i.e. X<22<Y, and source is 0.0.0.0/0 or ::/0, then remediation: 

* deletes the existing rule using revokeSecurityGroupIngress(). 
* creates a new rule with port range X - 22 using authorizeSecurityGroupIngress(). 
* creates a new rule with port range 22 - Y using authorizeSecurityGroupIngress(). 

NOTE: Remediating this resource may result in a user losing SSH access if their IP is not whitelisted in the rules. 

Review the actions that will be performed, provide comments and click Remediate. 
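The three cases above describe an algorithm, so the following added example (not Qualys code and not the CloudView remediation itself) works it through on a constructed security group. It plans the revoke/authorize actions for rules that expose port 22 to 0.0.0.0/0 or ::/0, applies the plan, and then re-checks the result the way a control evaluation would. The dialog writes the replacement ranges as "X - 22" and "22 - Y"; this example assumes the intent is to exclude port 22 itself (X to 21 and 23 to Y), since a range that still contains 22 would leave the control failing. It also goes slightly beyond the page by handling ranges that start or end exactly at 22 (the empty side is simply dropped). The rule shape, the sample rules and the function names are all constructed for the example; nothing here calls AWS.

```python
"""Plan and verify the CID-41 style remediation (added example, not Qualys code).

A rule is a plain dict in a constructed, boto3-like shape:
  {"protocol": "tcp" | "udp" | "-1", "from_port": int | None,
   "to_port": int | None, "cidr": "0.0.0.0/0"}
"-1" stands for ALL(*) protocols, as in the EC2 API.
"""

ANY_SOURCE = {"0.0.0.0/0", "::/0"}   # world-open IPv4 / IPv6 sources
SSH_PORT = 22


def plan_ssh_remediation(rules, port=SSH_PORT):
    """Return (action, rule) tuples; action is "revoke" or "authorize".

    Rules from specific sources and rules that do not reach `port` are left
    alone and produce no actions.
    """
    actions = []
    for rule in rules:
        if rule["cidr"] not in ANY_SOURCE:
            continue  # only world-open sources are in scope for this control
        proto = rule["protocol"]
        lo, hi = rule.get("from_port"), rule.get("to_port")

        # CASE 1: all protocols from anywhere -> delete the rule.
        if proto == "-1":
            actions.append(("revoke", rule))
            continue
        if proto != "tcp" or lo is None or hi is None:
            continue  # UDP/ICMP rules do not expose SSH

        # CASE 2: exactly the SSH port -> delete the rule.
        if lo == port == hi:
            actions.append(("revoke", rule))
            continue

        # CASE 3: a range that contains the port -> delete it and re-create
        # the part below and the part above the port (assumption: port 22
        # itself is excluded from both replacement ranges).
        if lo <= port <= hi:
            actions.append(("revoke", rule))
            if lo < port:
                actions.append(("authorize", {**rule, "from_port": lo, "to_port": port - 1}))
            if hi > port:
                actions.append(("authorize", {**rule, "from_port": port + 1, "to_port": hi}))
    return actions


def apply_plan(rules, actions):
    """Return the rule set that results from executing the planned actions."""
    revoked = [r for a, r in actions if a == "revoke"]
    kept = [r for r in rules if not any(r is x for x in revoked)]
    added = [r for a, r in actions if a == "authorize"]
    return kept + added


def exposes_port(rules, port=SSH_PORT):
    """True if any rule still allows `port` from 0.0.0.0/0 or ::/0 (the control check)."""
    for rule in rules:
        if rule["cidr"] not in ANY_SOURCE:
            continue
        if rule["protocol"] == "-1":
            return True
        if (rule["protocol"] == "tcp" and rule.get("from_port") is not None
                and rule["from_port"] <= port <= rule["to_port"]):
            return True
    return False


# Constructed sample security group, one rule per case plus two that must survive.
SAMPLE_RULES = [
    {"protocol": "-1", "from_port": None, "to_port": None, "cidr": "0.0.0.0/0"},    # CASE 1
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "::/0"},             # CASE 2
    {"protocol": "tcp", "from_port": 20, "to_port": 25, "cidr": "0.0.0.0/0"},        # CASE 3
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},   # allow-listed source, kept
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},      # not SSH, kept
]

if __name__ == "__main__":
    plan = plan_ssh_remediation(SAMPLE_RULES)
    for action, rule in plan:
        print(f"{action:9} {rule['protocol']:4} {rule['from_port']}-{rule['to_port']} {rule['cidr']}")
    print("still exposed after remediation:", exposes_port(apply_plan(SAMPLE_RULES, plan)))
```

Running the block prints three revokes and two authorizes (20-21 and 23-25) and reports that port 22 is no longer exposed; the allow-listed 203.0.113.0/24 rule is untouched, which is the case the dialog's NOTE about losing SSH access is warning about.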


Resource actions such as removing an attached IAM role and stopping an EC2 instance can be 
performed from the Resources tab. 


[Screenshot: Resources tab filtered by Resource.type: Instance, listing EC2 instances (Instance ID, Account ID, Region, State, First Seen) with a Quick Actions menu offering Stop Instance] 


Verify the resource and account details, provide comments, and execute the required action. 


[Screenshot: Stop Instance dialog. Warning text: "When you stop instances, the data on the ephemeral storage of the instance is lost. The data lost is not recoverable." The dialog requires a comment and the authorization checkbox before Execute Action] 
Qualys CloudView - Exceptions 


Lab 11 - https://ior.ad/7Qr1 


Use exceptions to exempt certain cloud resources from a particular control, or to temporarily change the status of a 
resource for a particular control from Failed to PassE (Pass with Exception). 


First, use this query to identify controls with failed resource evaluations - resource.result:FAIL 


[Screenshot: Monitor tab filtered with resource.result:FAIL, listing controls with failed resources, e.g. "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password" (Medium, 10 resources) and "Ensure console credentials unused for 90 days or greater are disabled" (High, 10 resources)] 


Then view the resources associated with the control, select the desired resource, and use the "Create 
Exception" option. 
[Screenshot: Control Evaluation for CID-42 "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389" with the Quick Actions menu for a failed resource: View Resource Details, Re-evaluate, Remediate Now, Create Exception, Show other control failures for this resource, Show all failures for this account] 


Until the exception end date, the resource has a status of "Passed with Exception". After the end date, 
the resource will have a status of "Failed". 


[Screenshot: Create Exception, step 1 of 4 (Basic Details): Exception Name, Reason (False Positive / Risk Accepted / Other), Explanation, Exception Start Date and Exception End Date. The remaining steps are Scope Information, Select Controls and Review Exception] 


Under the "Scope Information" section, you can apply the exception to: 
• Resource — choose this to create the exception at resource level; the exception is applicable only 
for the selected resource 
• Connector — choose this to create the exception for all resources in the account associated with the 
connector 
[Screenshot: Create Exception, step 2 of 4 (Scope Information): Scope set to Resource, listing the selected security group and its account] 


[Screenshot: Policy > Exceptions tab listing the created exceptions with Title, Reason, Modified By, Modified On and Expiration columns] 


[Screenshot: Control Evaluation for CID-42 filtered by resource.id, showing the exempted security group with the result Passed with Exception] 
Qualys CloudView - Reports 


Lab 12 - https://ior.ad/7QsK 


Reports can be used to focus on specific information — such as a specific policy, or specific connectors 
only. 


When running a report, you'll first need to build a template. Within a template you'll define the settings 
you want to use to build your report, for example: 

• Provider — AWS / Azure / GCP 
• Report type — policy-based or mandate-based 
• Policy or mandate to run the report 
• Connectors or groups 


Mandates are regulatory requirements, best practice standards or compliance frameworks designed by 
Security/business driven communities and/or government bodies. For a full list of supported mandates, 
refer to the Qualys CloudView user guide - https://www.qualys.com/docs/qualys-cloud-view-user-guide.pdf 


When running a mandate-based report, both a policy and a mandate need to be selected. 


[Screenshot: report template settings: Cloud Provider (AWS), Report Type (Policy / Mandate), Select Policies (AWS Best Practices Policy, AWS Lambda Best Practices Policy), Select Mandate (CIS Critical Security Controls (Top 20)), Select Format (On-Screen Report). Help text: "The On-Screen Report displays the latest data and is available only for viewing."] 




Qualys CloudView — Grouping Connectors 


Connectors can be assigned to groups. A group may contain multiple connectors and a connector may 
belong to multiple groups. This allows you to include multiple connectors in a policy or report by 
including the group that's assigned to the connectors. 

Think of groups as tags that you may have seen in other Qualys applications — these are labels applied 
to connectors. 


[Screenshot: Configuration > Base Account connector list with the Quick Actions menu for a connector: View, Run, Delete, Assign Group, Show Resources, Show Errors. The Assign Group to Connector dialog reads: "Begin typing to create a new group or select existing groups."] 


Groups can also be used to define the scope of users. 


Qualys CloudView - User Management 


Lab 13 - https://ior.ad/7QsO 


Users with Manager role are able to view all resources in CloudView. To limit access, sub-users with 
limited privileges may be created. Only users with Manager permissions can create sub-users from the 
Administration module. After creating a user, assign a role with access to CloudView to provide 
permissions. 


Role with all privileges on CloudView: 


[Screenshot: Role Creation, Step 2 of 3 (Permissions), CloudView module: Manage Remediation Permissions (1 of 1) and CLOUDVIEW Permissions (2 of 4) with CLOUDVIEW UI Access and CLOUDVIEW API Access selected; CLOUDVIEW Readonly Access and CLOUDVIEW API Readonly Access unselected] 


A sub user with all privileges (see above image) has full access in CloudView except creating and 
managing other users. 


Role with read only privileges on CloudView: 
[Screenshot: Role Creation, Step 2 of 3 (Permissions), CloudView module permissions for a read-only role, listing CLOUDVIEW UI Access, CLOUDVIEW API Access, Manage Remediation Permissions, CLOUDVIEW Readonly Access and CLOUDVIEW API Readonly Access] 


A sub user with reader privilege (see image above) can only view data. 


The following table outlines the privileges granted to users with different roles: 


Operations                                  User (Manager role)   Sub User   Sub User (Reader role) 
Create New Users                            Yes                   No         No 
Grant Access to Sub-Users                   Yes                   No         No 
Update Access of Existing Users             Yes                   No         No 
Create and Assign Groups to Connectors      Yes                   No         No 
Manage Connectors                           Yes                   No         No 
Manage Policies and Controls                Yes                   Yes        No 
Customize Controls                          Yes                   Yes        No 
Reports                                     Yes                   Yes        View only 
Dashboards                                  Yes                   Yes        Yes 
Access Management 


Lab 14 - https://ior.ad/7Qx5 


Groups can be used to limit the scope of users. When a group is assigned to a user, that user is only able to 
access resources of connectors that belong to the group. 


[Screenshot: Access Details for user quays3cu1, "Manage the access based on groups", with the group Dev Connector assigned] 


The above image shows a group assigned to a user's profile. This will restrict the user's access to 
resources that belong to the connectors associated with the group. 


It is also possible to limit the scope of the user by specifying connectors and regions. In the below image, 
the user's access has been limited to three regions belonging to one connector: 


[Screenshot: Access Details for user quays3cu1, Connectors and Regions: AWS scope limited to account AWS-Connector(63612…) and regions Mumbai(ap-south-1), London(eu-west-2), N. Virginia(us-east-1)] 


The above image shows a user's scope restricted by connector and regions. 


Qualys Cloud Security Certification Exam 


Participants in the Qualys Cloud Security training course have the option to take the Cloud Security 
Certification Exam. This exam is provided through our Learning Management System (LMS) at 
qualys.com/learning — candidates will need an account on this system to take the exam. 


[Screenshot: Qualys Training & Certification login page: "Please log in to the Qualys training site. First time users need to create an account." Fields: Username, Password; links: Forgot your password?, Request a new account] 


If you would like to take the exam, but do not already have a "learner" account, click the "Request a 
new account" link, from the LMS at http://qualys.com/learning. 


Once you have created a “learner” account (and for those who already have an account), click the 
following link to access the “Cloud Security Assessment and Response — QSC 2021” course page: 
https://gm1.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo?&id=22511237817 
[Screenshot: Course Catalog: Class Details for "Cloud Security Assessment and Response - QSC 2021". Class Name: Cloud Security - QSC 2021; Class Code: 2250729076520210917124821; Contact Name: Shyam Raj; Private Class: Yes; Maximum Class Capacity: 5000; Class Cost: $0.00; Session 1: Tuesday, November 16, 2021 9:00 AM to 1:00 PM (America/Los_Angeles) (UTC -07:00); the Enroll button is in the lower-right corner] 


From the “Cloud Security Assessment and Response — QSC 2021” course page, click the “Enroll” button 
(lower-right corner). 


After successfully completing the course enrollment, click the "Launch” button, for the Qualys Cloud 
Security Assessment Exam. 


[Screenshot: class record for Cloud Security - QSC 2021 listing the activity "Qualys Cloud Security Assessment and Response Exam - 2.0" (Actual Test) with its Launch button; the help text reads "To access a learning activity, select the activity name and click Launch or Open."] 


Each candidate is provided five attempts to pass the exam. 
[Screenshot: completed class record for Cloud Security Assessment and Response - QSC 2021 (Progress: Completed, Status: Enrolled, Duration: 4 hours) with the print link and the exam activity shown as Passed] 


With a passing score of 75% (or greater), click the "Print Certificate" button to download and print your 
course exam certificate. 


Training Survey 
Please take a moment to take the survey about today's training - https://forms.office.com/r/rsyOAja6Xz 